1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

131592 Commits

Author SHA1 Message Date
Jeremy Allison
6f149dfd9d s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH
compound if we immediately close the file afterward.

Internally the flushes go async and we free the req, then
we process the close. When the flushes complete they try to access
already freed data.

Extra test which will allow me to test when the final
component (flush) of the compound goes async and returns
NT_STATUS_PENDING.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-11-17 04:58:28 +00:00
Jeremy Allison
17a110c1b5 s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE
compound. Internally the flush goes async and
we free the req, then we process the close.
When the flush completes it tries to access
already freed data.

Found using the Apple MacOSX client at SNIA SDC 2022.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-11-17 04:58:28 +00:00
Noel Power
f6284877ce nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184
2022-11-16 19:29:21 +00:00
Andreas Schneider
ebaafb2375 gitlab-ci: Update Fedora to version 37
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 16:29:30 UTC 2022 on sn-devel-184
2022-11-16 16:29:30 +00:00
Jeremy Allison
7cb5040551 nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184
2022-11-16 15:09:45 +00:00
Noel Power
0fd7b13ebc s4:lib:tls: Don't negotiate session resumption with session tickets
tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.

This is needed because some servers (at least elasticsearch) wait till
they get 'Finished' messgage from the client before sending the
"New Ticket" message.

Without this patch what typcially happens is when the application code
sends data it then tries to read the response, but, instead of the
response to the request it actually recieves the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic e.g.
   tstream_tls_readv_send
       ->tstream_tls_readv_crypt_next
           ->tstream_tls_retry_read
               ->gnutls_record_recv

instead of the core gnutls routines.

This results in the response processing failing due to the
currently 'unexpected' New Ticket message.

In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.

Signed-off-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184
2022-11-16 09:58:44 +00:00
Jeremy Allison
f0ca954610 s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
Can easily be seen by doing make test TESTS=fruit
and looking in st/nt4_dc/smbd_test.log.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15210

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 16 06:00:56 UTC 2022 on sn-devel-184
2022-11-16 06:00:56 +00:00
Joseph Sutton
434f461e9e CVE-2022-42898 third_party/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

Heavily edited by committer Nico Williams <nico@twosigma.com>, original by
Joseph Sutton <josephsutton@catalyst.net.nz>.

Signed-off-by: Nico Williams <nico@twosigma.com>

[jsutton@samba.org Zero-initialised header_size in krb5_pac_parse() to
 avoid a maybe-uninitialized error; added a missing check for ret == 0]

Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Nov 15 17:02:52 UTC 2022 on sn-devel-184
2022-11-15 17:02:52 +00:00
David Mulder
15696da015 gp: Fix startup scripts add not always set runonce
The runonce is always being set because neither
True nor False is ever None.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 15 02:09:45 UTC 2022 on sn-devel-184
2022-11-15 02:09:45 +00:00
David Mulder
4321be515b gp: Fix startup scripts list not fail with empty args
This fixes the startup scripts list command to
not fail when the parameters variable is empty.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-15 01:08:38 +00:00
David Mulder
f04f205d27 gp: startup scripts list enclude newline in output
The output for listing startup scripts wasn't
clear because there was no newline between
entries.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-15 01:08:38 +00:00
David Mulder
3bee89c1cf gp: startup scripts add clarify 'args' option
Make sure it is clear how to specify args for the
command, and that multiple args can be passed
wrapped in quotes.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-15 01:08:38 +00:00
David Mulder
096a323a8c gp: Fix startup scripts add args
The args for the command could not be parsed
because samba-tool detects the '-' and thinks its
part of the samba-tool command.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-15 01:08:38 +00:00
Jeremy Allison
fa4eba131b s3: smbd: Always use metadata_fsp() when processing fsctls.
Currently all fsctls we implement need the base fsp, not
an alternate data stream fsp. We may revisit this later
if we implement fsctls that operate on an ADS.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 14 18:13:31 UTC 2022 on sn-devel-184
2022-11-14 18:13:31 +00:00
Jeremy Allison
abc4495e45 s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-14 17:13:36 +00:00
David Mulder
2ea3adfd04 gp: Test that Password and Kerberos policies fail on unknown key
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 12 01:34:17 UTC 2022 on sn-devel-184
2022-11-12 01:34:17 +00:00
David Mulder
3ad8e8d4d4 gp: Password and Kerberos policies fail on unknown key
If unrecognized keys are set in the GptTmpl.inf,
the extensions would fail to apply.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-12 00:34:34 +00:00
Volker Lendecke
09e9dd576d torture: Test the "server addresses" parameter
Thanks to Metze for the hint that all file servers already listen on 2
addressess -- V4 and V6 :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Nov 10 08:23:14 UTC 2022 on sn-devel-184
2022-11-10 08:23:14 +00:00
Volker Lendecke
f9a3a6b434 testprogs: Fix testit_expect_failure_grep()
Callers expect success (i.e. retval==0) if grep failed with non-zero
error status.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
55feb59301 testprogs: Add testit_grep_count() helper
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
e24481251d srvsvc: Only list shares in "server addresses"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
23167a4dd7 smbd: Implement "server addresses" for tree connect
Only allow share connections if the server address matches

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
9321a533cd lib: Add lp_allow_local_address()
Helper function for listing and accessing shares

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
d9c4f94e4f smbd: Add "server addresses" parameter
This is a per-share parameter to limit share visibility and
accessibility to specific server IP addresses.

This can be used to limit the visibility and accessibility of shares
on different subnets offered by the server.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Volker Lendecke
12edd038cf smbd: Some whitespace fixes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-11-10 07:27:31 +00:00
Andreas Schneider
4a68d43b7b third_party: Update nss_wrapper to version 1.1.13
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov  9 23:15:07 UTC 2022 on sn-devel-184
2022-11-09 23:15:07 +00:00
Jeremy Allison
10537a89bb s4: libcli: Ignore errors when getting A records after fetching AAAA records.
The target may only be available over IPv6.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov  9 20:34:07 UTC 2022 on sn-devel-184
2022-11-09 20:34:07 +00:00
Stefan Metzmacher
76adda9d2f lib/replace: fix memory leak in snprintf replacements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15230

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Nov  9 11:18:02 UTC 2022 on sn-devel-184
2022-11-09 11:18:02 +00:00
David Mulder
3030813765 gp: Ignore crontab -l error, since it means empty
We should not fail when crontab -l errors, this
just means the crontab is empty.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov  8 22:33:37 UTC 2022 on sn-devel-184
2022-11-08 22:33:37 +00:00
Joseph Sutton
612eeff270 tests/krb5: Add tests of PAC group handling
In which we make AS and TGS requests and verify the SIDs we expect are
returned in the PAC.

Example command to test against Windows Server 2019 functional level
2016 with FAST enabled:

ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \
DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \
PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \
SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \
TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov  8 03:37:37 UTC 2022 on sn-devel-184
2022-11-08 03:37:37 +00:00
Joseph Sutton
53f9ac4b6f tests/krb5: Allow checking domain SID in PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
8556576d8d tests/krb5: Overhaul PAC logon info group checking
We can now verify attributes of SIDs and the PAC locations in which SIDs
are placed. We also gain the ability to assert that no SIDs are present
in the PAC other than the ones we expect.

We lighten somewhat the requirement that no duplicates are present among
the SIDs, as such a situation may arise even with Windows, especially if
group types are changed. For example, if a Universal group containing a
user is changed to a Domain-Local group in between an AS-REQ and a
TGS-REQ, the group's SID will be added to the PAC once for each request.
We only verify that there are no exact duplicates (SID, attributes, and
PAC location all being identical).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
5a613db6f5 tests/krb5: Add (un)expected group parameters to get_service_ticket() and get_tgt()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
f59f696800 tests/krb5: Allow creating accounts without Resource SID compression support
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
29723765b3 tests/krb5: Allow adding multiple members to a group
As well as passing in a single 'str', we can now choose to pass a
collection of member DN strings.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
3a13e3b666 tests/krb5: Allow creating groups with a specified type
This will be useful for testing the handling of Domain-Local groups.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
6674f67537 tests/krb5: Fix bits_to_etypes() to not fail on Resource SID compression bit
It's not an encryption type bit, so we should ignore it here.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
90f39b6959 tests/krb5: Remember to pass in expected_groups parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
0161d37574 tests/krb5: Remove unused copy-and-paste remnant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Stefan Metzmacher
bdbe5c5a32 s4:kdc: add initial support for compound claims
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Stefan Metzmacher
f96fbe6eb1 s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs()
The blob will be empty until we properly support claims.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Stefan Metzmacher
03250eefaa s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac()
This allows us to add claims blobs to the PAC once we have the ability
to create them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
aa62775eb4 s4-auth: Make PAC parameters const
These functions have no need to modify the PACs passed in, and this
change permits us to operate on const PACs in the KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
7d3416e8cb krb5: Detect support for krb5_const_pac type
We can't unconditionally assume (as we did in
third_party/heimdal_build/wscript_configure) that Heimdal has this type,
since we may have an older system Heimdal that lacks it. We must also
check whether krb5_pac_get_buffer() is usable with krb5_const_pac, and
declare krb5_const_pac as a non-const typedef if not.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
6fe6992258 wafsamba: Have CHECK_C_PROTOTYPE() pass through 'lib' into CHECK_CODE()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
a3ee0ce255 wscript: Correctly determine dependencies for system Heimdal build
Previously, the call to CHECK_BUNDLED_SYSTEM() in
check_system_heimdal_lib() could have us pick up MIT Kerberos headers
when we should only be using system Heimdal headers. Now, we just
perform an explicit check for the functions we require, which should
avoid any use of the MIT libraries.

We also remove some library checks for Heimdal components that we don't
use directly, restricting the checks to only the functions we need.

Finally, we no longer need to recurse into third_party/heimdal_build
when performing a system Heimdal build.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Joseph Sutton
77bb72d672 build: Remove unused dependencies
We don't need to include these any more, and removing them allows us to
simplify the build system for system Heimdal builds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-11-08 02:39:37 +00:00
Volker Lendecke
be1431a893 smbd: Don't hide directories with "hide new files timeout"
The intention of this option was to hide *files*. Before this patch we
also hide directories where new files are dropped.

This is a change in behaviour, but I think this option is niche enough
to justify not adding another parameter that we then need to test. If
workflows break with this change and people depend on directories also
to be hidden, we can still add the additional option value required.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov  7 22:58:33 UTC 2022 on sn-devel-184
2022-11-07 22:58:33 +00:00
Volker Lendecke
e8848a3eab torture: Show that "hide new files timeout" also hides directories
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-07 21:57:33 +00:00
Volker Lendecke
8b4a3c12a0 torture3: Run the "hidenewfiles" test against SMB2
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-07 21:57:33 +00:00